[WinDbg Command] !drvobj
The !drvobj command shows the contents of a specific DriverObject. On Windows 2000 and later you only need to know the driver's name to look it up. When you want to find out whether a particular driver has been hooked, the command below lets you check whether that driver's Major Function (dispatch) table is intact: each routine that belongs to the driver itself resolves to a symbol in its own module (Ntfs!...), whereas an entry that resolves to a bare address with no symbol, or into another module, is what you are looking for.
lkd> !drvobj ntfs 2
Driver object (89ae3888) is for:
*** ERROR: Module load completed but symbols could not be loaded for sptd.sys
\FileSystem\Ntfs
DriverEntry: f7bd7184 Ntfs!GsDriverEntry
DriverStartIo: 00000000
DriverUnload: f7527164 sptd
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE 89ba11e8 +0x89ba11e8
[01] IRP_MJ_CREATE_NAMED_PIPE 804fb709 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE 89ba11e8 +0x89ba11e8
[03] IRP_MJ_READ 89ba11e8 +0x89ba11e8
[04] IRP_MJ_WRITE 89ba11e8 +0x89ba11e8
[05] IRP_MJ_QUERY_INFORMATION 89ba11e8 +0x89ba11e8
[06] IRP_MJ_SET_INFORMATION 89ba11e8 +0x89ba11e8
[07] IRP_MJ_QUERY_EA 89ba11e8 +0x89ba11e8
[08] IRP_MJ_SET_EA 89ba11e8 +0x89ba11e8
[09] IRP_MJ_FLUSH_BUFFERS 89ba11e8 +0x89ba11e8
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 89ba11e8 +0x89ba11e8
[0b] IRP_MJ_SET_VOLUME_INFORMATION 89ba11e8 +0x89ba11e8
[0c] IRP_MJ_DIRECTORY_CONTROL 89ba11e8 +0x89ba11e8
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 89ba11e8 +0x89ba11e8
[0e] IRP_MJ_DEVICE_CONTROL 89ba11e8 +0x89ba11e8
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 804fb709 nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN 89ba11e8 +0x89ba11e8
[11] IRP_MJ_LOCK_CONTROL 89ba11e8 +0x89ba11e8
[12] IRP_MJ_CLEANUP 89ba11e8 +0x89ba11e8
[13] IRP_MJ_CREATE_MAILSLOT 804fb709 nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY 89ba11e8 +0x89ba11e8
[15] IRP_MJ_SET_SECURITY 89ba11e8 +0x89ba11e8
[16] IRP_MJ_POWER 804fb709 nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL 804fb709 nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE 804fb709 nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA 89ba11e8 +0x89ba11e8
[1a] IRP_MJ_SET_QUOTA 89ba11e8 +0x89ba11e8
[1b] IRP_MJ_PNP 89ba11e8 +0x89ba11e8
Fast I/O routines:
FastIoCheckIfPossible f7b8beda Ntfs!NtfsFastIoCheckIfPossible
FastIoRead f7b72b57 Ntfs!NtfsCopyReadA
FastIoWrite f7b91448 Ntfs!NtfsCopyWriteA
FastIoQueryBasicInfo f7b7848e Ntfs!NtfsFastQueryBasicInfo
FastIoQueryStandardInfo f7b76f7e Ntfs!NtfsFastQueryStdInfo
FastIoLock f7b920f2 Ntfs!NtfsFastLock
FastIoUnlockSingle f7b921f8 Ntfs!NtfsFastUnlockSingle
FastIoUnlockAll f7bcb6ae Ntfs!NtfsFastUnlockAll
FastIoUnlockAllByKey f7bcb7f3 Ntfs!NtfsFastUnlockAllByKey
AcquireFileForNtCreateSection f7b7283a Ntfs!NtfsAcquireForCreateSection
ReleaseFileForNtCreateSection f7b72881 Ntfs!NtfsReleaseForCreateSection
FastIoQueryNetworkOpenInfo f7bb9e1d Ntfs!NtfsFastQueryNetworkOpenInfo
AcquireForModWrite f7b7ea10 Ntfs!NtfsAcquireFileForModWrite
MdlRead f7bb9f31 Ntfs!NtfsMdlReadA
MdlReadComplete 805322b8 nt!FsRtlMdlReadCompleteDev
PrepareMdlWrite f7bba2ab Ntfs!NtfsPrepareMdlWriteA
MdlWriteComplete 8061d1db nt!FsRtlMdlWriteCompleteDev
FastIoQueryOpen f7b76db8 Ntfs!NtfsNetworkOpenCreate
AcquireForCcFlush f7b726e2 Ntfs!NtfsAcquireFileForCcFlush
ReleaseForCcFlush f7b72708 Ntfs!NtfsReleaseFileForCcFlush
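As an added example (not part of the original post), this Python script parses the !drvobj output above and flags every routine whose address does not resolve into the driver's own module; the module name passed in and the treatment of nt as a trusted supplier of default stubs are assumptions of this script.

```python
import re

# Excerpt of the "!drvobj ntfs 2" output shown above, embedded as sample input.
SAMPLE = r"""Driver object (89ae3888) is for:
\FileSystem\Ntfs
DriverEntry: f7bd7184 Ntfs!GsDriverEntry
DriverStartIo: 00000000
DriverUnload: f7527164 sptd
Dispatch routines:
[00] IRP_MJ_CREATE 89ba11e8 +0x89ba11e8
[01] IRP_MJ_CREATE_NAMED_PIPE 804fb709 nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ 89ba11e8 +0x89ba11e8
Fast I/O routines:
FastIoRead f7b72b57 Ntfs!NtfsCopyReadA
MdlReadComplete 805322b8 nt!FsRtlMdlReadCompleteDev
"""

# One pattern covers the three line shapes: "Name: addr sym",
# "[nn] IRP_MJ_X addr sym" and "FastIoX addr sym" (sym may be absent).
ROUTINE_RE = re.compile(r"^(?:\[[0-9a-f]{2}\]\s+)?(\w+):?\s+([0-9a-f`]+)(?:\s+(\S+))?$")

def parse_routines(text):
    """Return [(name, address, symbol_or_None)] for every routine listed."""
    out = []
    for line in text.splitlines():
        m = ROUTINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2).replace("`", ""), 16), m.group(3)))
    return out

def audit_drvobj(text, module, trusted=("nt",)):
    """Flag routines whose address does not resolve into the driver's own module.
    nt is assumed trustworthy here because the I/O manager fills unused slots
    with nt!IopInvalidDeviceRequest and fast I/O may use the nt!FsRtl* helpers."""
    findings = []
    for name, addr, sym in parse_routines(text):
        if addr == 0:                       # empty slot, nothing to check
            continue
        if sym is None or sym.startswith("+0x"):
            findings.append((name, addr, "no loaded module owns this address"))
            continue
        owner = sym.split("!", 1)[0].lower()
        if owner != module.lower() and owner not in trusted:
            findings.append((name, addr, f"resolves into {owner}, not {module}"))
    return findings

if __name__ == "__main__":
    for name, addr, reason in audit_drvobj(SAMPLE, "Ntfs"):
        print(f"{name:<24} {addr:08x}  {reason}")
```

Run against the full output above, it reports DriverUnload (sptd) and every IRP_MJ_* slot that resolves to +0x89ba11e8, while the Ntfs! and nt! entries pass.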